Motivation

Clarify timing relationships
Formalize analysis semantics

• Clearer discussions
• Enhance automation & frameworks
• Combining analyses

Avoid over-specification of timing
Support reasoning about analysis tasks
Access temporal logic methods
Temporal Logic

Logic with explicit inclusion of time

Classically first-order logic; could be any logic form

Temporal interpretation: Instantiating circumstances

• Linear time with rollback on contradiction
• Branching time with branch termination on contradiction
• Advantage to linear: simpler structure, no worry over paths
• Advantage to branching: can express path-related conditions
Temporal Logic Operators

Next(t,p) - p is true in the instant after t

Global(p) - p is true independent of time

Following(t,p) - p is true at some instant after t

Until(t,p,q) - p is true at each instant after t until q is true

Forall(p) - p is true along all paths

Exists(p) - p is true along at least one path
Adaptation to Flow

Description first, then reasoning

Iterative semantics - suitable for filter-like processing
Specific semantics:

• 5-tuple
• Ordinal time (inexact comparisons)
• Related flows
Adapted semantics

R(f1,f2) relation - flow-flow connection

p(f,...), q(f,...) - logic predicates on flow records/fields

Enable reasoning using Horn clause resolution and backtracking


CERT
Software Engineering Institute
Carnegie Mellon
© 2010 Carnegie Mellon University


Temporal Operators for Flow

Globally:
  G(p): forall(R(f,f') -> p(f) and p(f'))

Next:
  N(f,f'): iff R(f,f') and f'.stime > f.stime and
           not exists(R(f,f'') and f'.stime > f''.stime > f.stime)
  N*(f,f'): transitive relation on N
  X(f,p): forall(N(f,f') -> p(f'))

Following:
  F(f,p): exists(N*(f,f') and p(f'))

Until:
  U(f,p,q):
    exists(N*(f,f'') and q(f''),
      forall(N*(f,f') and f''.stime > f'.stime -> p(f') and not q(f')))
Descriptive Temporal Example

Spam(s,f):
  R(f,f'): f.sip = f'.sip = s and s not on whitelist
If and only if
  |{f', Following(f,f', f'.stime < f.stime+5min and f'.dport=email)}| > 15 and
  |{f', Following(f,f', f'.stime < f.stime+5min and f'.dport=email)}| >
  |{f', Following(f,f', f'.stime < f.stime+5min)}| * 0.1
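The flow operators and the Spam(s,f) rule from the two preceding slides, as an added Python example; it is not the presentation's Prolog or PySiLK prototype. The Flow tuple, port 25 standing for "email", the whitelist entry and the sample traffic are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed flow record holding only the fields the slide predicates read.
Flow = namedtuple("Flow", "sip dport stime")  # stime in seconds
EMAIL_PORT = 25            # assumption: "email" on the slide means SMTP, port 25
WINDOW = 5 * 60            # the slide's 5 min window
WHITELIST = {"192.0.2.9"}  # constructed whitelist entry

def related(f, g):
    """R(f,f'): same source address, and that source is not whitelisted."""
    return f.sip == g.sip and f.sip not in WHITELIST

def n_star(f, flows):
    """N*(f,f'): for this R, the closure of N is every related later flow."""
    return [g for g in flows if related(f, g) and g.stime > f.stime]

def nxt(f, flows):
    """N(f,f'): related later flows with no related flow strictly in between."""
    later = n_star(f, flows)
    first = min((g.stime for g in later), default=None)
    return [g for g in later if g.stime == first]

def following(f, p, flows):
    """Flows f' with N*(f,f') and p(f'); F(f,p) holds when the list is non-empty."""
    return [g for g in n_star(f, flows) if p(g)]

def until(f, p, q, flows):
    """U(f,p,q): some later f'' has q, and every earlier f' has p and not q."""
    later = n_star(f, flows)
    return any(q(g2) and all(p(g1) and not q(g1)
                             for g1 in later if g1.stime < g2.stime)
               for g2 in later)

def spam(s, f, flows):
    """Spam(s,f): over 15 mail flows in the window, and over 10% of all flows."""
    if f.sip != s or s in WHITELIST:
        return False
    def in_window(g):
        return g.stime < f.stime + WINDOW
    mail = following(f, lambda g: in_window(g) and g.dport == EMAIL_PORT, flows)
    return len(mail) > 15 and len(mail) > 0.1 * len(following(f, in_window, flows))

def sample_flows():
    """Constructed traffic: a mail-heavy host, a mixed host, a whitelisted relay."""
    heavy = [Flow("198.51.100.1", 25, t) for t in range(0, 105, 5)]
    mixed = ([Flow("198.51.100.2", 25, t) for t in range(0, 17)]
             + [Flow("198.51.100.2", 443, t) for t in range(20, 220)])
    relay = [Flow("192.0.2.9", 25, t) for t in range(0, 30)]
    return heavy + mixed + relay
```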
Implementation

Use temporal logic to express analysis criteria

Prolog-based (GNU-Prolog)

Logic programming, incorporating time in resolution

Initial prototype to refine semantics

Construct interface to analysis tools (plugin)

Python-based (PySiLK)

Declarative programming, incorporate limited resolution mechanism

Secondary prototype to demonstrate applicability

Eventually construct reasoning rules for analysis relationships or proof
Conclusions

Temporal logic adaptation of flow analysis offers opportunity to encompass large literature of pre-existing methods

Formalization of time relationships offers opportunity to improve flow analysis methods

More formal reasoning on flow analysis?